WL14658: Implement MFA (multi factor authentication)

Author: silvakid

cppconn/connection.h

@@ -50,6 +50,9 @@
 #define OPT_HOSTNAME   "hostName"
 #define OPT_USERNAME   "userName"
 #define OPT_PASSWORD   "password"
+#define OPT_PASSWORD1  "password1"
+#define OPT_PASSWORD2  "password2"
+#define OPT_PASSWORD3  "password3"
 #define OPT_PORT       "port"
 #define OPT_SOCKET     "socket"
 #define OPT_PIPE       "pipe"

driver/mysql_connection.cpp

@@ -573,6 +573,42 @@ void MySQL_Connection::init(ConnectOptionsMap & properties)
       } else {
         throw sql::InvalidArgumentException("No string value passed for password");
       }
+    } else if (!it->first.compare(OPT_PASSWORD1)) {
+      try {
+        p_s = (it->second).get< sql::SQLString >();
+      } catch (sql::InvalidArgumentException&) {
+        throw sql::InvalidArgumentException("Wrong type passed for password1 expected sql::SQLString");
+      }
+      if (p_s) {
+        int num = 1;
+        proxy->options(sql::mysql::MYSQL_OPT_USER_PASSWORD, num, *p_s);
+      } else {
+        throw sql::InvalidArgumentException("No string value passed for password1");
+      }
+    } else if (!it->first.compare(OPT_PASSWORD2)) {
+      try {
+        p_s = (it->second).get< sql::SQLString >();
+      } catch (sql::InvalidArgumentException&) {
+        throw sql::InvalidArgumentException("Wrong type passed for password2 expected sql::SQLString");
+      }
+      if (p_s) {
+        int num = 2;
+        proxy->options(sql::mysql::MYSQL_OPT_USER_PASSWORD, num, *p_s);
+      } else {
+        throw sql::InvalidArgumentException("No string value passed for password2");
+      }
+    } else if (!it->first.compare(OPT_PASSWORD3)) {
+      try {
+        p_s = (it->second).get< sql::SQLString >();
+      } catch (sql::InvalidArgumentException&) {
+        throw sql::InvalidArgumentException("Wrong type passed for password3 expected sql::SQLString");
+      }
+      if (p_s) {
+        int num = 3;
+        proxy->options(sql::mysql::MYSQL_OPT_USER_PASSWORD, num, *p_s);
+      } else {
+        throw sql::InvalidArgumentException("No string value passed for password3");
+      }
     } else if (!it->first.compare(OPT_PORT)) {
       try {
         p_i = (it->second).get< int >();

driver/mysql_connection_options.h

@@ -68,7 +68,8 @@ enum MySQL_Connection_Options
   MYSQL_OPT_TLS_CIPHERSUITES,
   MYSQL_OPT_COMPRESSION_ALGORITHMS,
   MYSQL_OPT_ZSTD_COMPRESSION_LEVEL,
-  MYSQL_OPT_LOAD_DATA_LOCAL_DIR
+  MYSQL_OPT_LOAD_DATA_LOCAL_DIR,
+  MYSQL_OPT_USER_PASSWORD
 #else
   MYSQL_OPT_CONNECT_TIMEOUT, MYSQL_OPT_COMPRESS, MYSQL_OPT_NAMED_PIPE,
   MYSQL_INIT_COMMAND, MYSQL_READ_DEFAULT_FILE, MYSQL_READ_DEFAULT_GROUP,

driver/nativeapi/mysql_native_connection_wrapper.cpp

@@ -110,6 +110,7 @@ get_mysql_option(sql::mysql::MySQL_Connection_Options opt)
   case sql::mysql::MYSQL_OPT_COMPRESSION_ALGORITHMS: return ::MYSQL_OPT_COMPRESSION_ALGORITHMS;
   case sql::mysql::MYSQL_OPT_ZSTD_COMPRESSION_LEVEL: return ::MYSQL_OPT_ZSTD_COMPRESSION_LEVEL;
   case sql::mysql::MYSQL_OPT_LOAD_DATA_LOCAL_DIR: return ::MYSQL_OPT_LOAD_DATA_LOCAL_DIR;
+  case sql::mysql::MYSQL_OPT_USER_PASSWORD: return ::MYSQL_OPT_USER_PASSWORD;
 #else
   case sql::mysql::MYSQL_OPT_SSL_VERIFY_SERVER_CERT: return ::MYSQL_OPT_SSL_VERIFY_SERVER_CERT;
   case sql::mysql::MYSQL_OPT_USE_REMOTE_CONNECTION: return ::MYSQL_OPT_USE_REMOTE_CONNECTION;
@@ -340,6 +341,7 @@ MySQL_NativeConnectionWrapper::options(::sql::mysql::MySQL_Connection_Options op
   my_bool dummy= option_val ? '\1' : '\0';
   return api->options(mysql, get_mysql_option(option), &dummy);
 }
+/* }}} */
 
 
 /* {{{ MySQL_NativeConnectionWrapper::options(int &) */
@@ -349,6 +351,7 @@ MySQL_NativeConnectionWrapper::options(::sql::mysql::MySQL_Connection_Options op
 {
   return api->options(mysql, get_mysql_option(option), &option_val);
 }
+/* }}} */
 
 
 /* {{{ MySQL_NativeConnectionWrapper::options(SQLString &, SQLString &) */
@@ -361,6 +364,16 @@ MySQL_NativeConnectionWrapper::options(::sql::mysql::MySQL_Connection_Options op
 /* }}} */
 
 
+/* {{{ MySQL_NativeConnectionWrapper::options(int &, SQLString &) */
+int
+MySQL_NativeConnectionWrapper::options(::sql::mysql::MySQL_Connection_Options option,
+               const int &factor, const ::sql::SQLString &value)
+{
+  return api->options(mysql, get_mysql_option(option), &factor, value.c_str());
+}
+/* }}} */
+
+
 /* {{{ MySQL_NativeConnectionWrapper::get_option() */
 int
 MySQL_NativeConnectionWrapper::get_option(::sql::mysql::MySQL_Connection_Options option, const void * value)

driver/nativeapi/mysql_native_connection_wrapper.h

@@ -127,6 +127,8 @@ struct st_mysql* mysql;
   int options(::sql::mysql::MySQL_Connection_Options, const int &) override;
   int options(::sql::mysql::MySQL_Connection_Options,
         const ::sql::SQLString &, const ::sql::SQLString &) override;
+  int options(::sql::mysql::MySQL_Connection_Options,
+              const int &, const ::sql::SQLString &) override;
 
   int get_option(::sql::mysql::MySQL_Connection_Options, const void * ) override;
   int get_option(::sql::mysql::MySQL_Connection_Options,

driver/nativeapi/native_connection_wrapper.h

@@ -127,6 +127,9 @@ class NativeConnectionWrapper : public boost::noncopyable
   virtual int options(::sql::mysql::MySQL_Connection_Options,
             const ::sql::SQLString &,
             const ::sql::SQLString &) = 0;
+  virtual int options(::sql::mysql::MySQL_Connection_Options,
+                      const int &,
+                      const ::sql::SQLString &) = 0;
 
   virtual int get_option(::sql::mysql::MySQL_Connection_Options, const void *) = 0;
   virtual int get_option(::sql::mysql::MySQL_Connection_Options,

test/unit/classes/connection.cpp

@@ -3741,5 +3741,143 @@ void connection::dns_srv()
   }
 }
 
+void connection::mfa()
+{
+  logMsg("connection::mfa - multi factor authentication");
+
+  try {
+    stmt->execute("UNINSTALL PLUGIN cleartext_plugin_server");
+  }  catch (...) {
+  }
+
+  try {
+    stmt->execute("INSTALL PLUGIN cleartext_plugin_server SONAME 'auth_test_plugin.so'");
+  }  catch (...) {
+    SKIP("Server doesn't support auth test plugin cleartext_plugin_server");
+  }
+
+  struct MFA_TEST_DATA
+  {
+    const char* user;
+    const char* pwd;
+    const char* pwd1;
+    const char* pwd2;
+    const char* pwd3;
+    bool succeed;
+  };
+
+
+  MFA_TEST_DATA test_data[] =
+  {
+  // user1 tests
+  {"user_1f", "pass1", nullptr, nullptr, nullptr, true  },
+  {"user_1f", "pass1", "pass1", nullptr, nullptr, true  },
+  {"user_1f", "badp1", "pass1", nullptr, nullptr, true  },
+  {"user_1f", nullptr, "pass1", nullptr, nullptr, true  },
+
+  {"user_1f", nullptr, nullptr, nullptr, nullptr, false },
+  {"user_1f", "badp1", "badp1", "pass1", nullptr, false },
+  {"user_1f", nullptr, nullptr, "pass1", nullptr, false },
+  {"user_1f", nullptr, nullptr, nullptr, "pass1", false },
+
+  // user2 tests
+  {"user_2f", "pass1", nullptr, "pass2", nullptr, true  },
+  {"user_2f", "pass1", "pass1", "pass2", nullptr, true  },
+  {"user_2f", "badp1", "pass1", "pass2", nullptr, true  },
+  {"user_2f", nullptr, "pass1", "pass2", nullptr, true  },
+
+  {"user_2f", "pass2", nullptr, "pass1", nullptr, false },
+  {"user_2f", "pass2", "pass2", "pass1", nullptr, false },
+  {"user_2f", "pass2", "badp2", "pass1", nullptr, false },
+  {"user_2f", nullptr, "pass2", "pass1", nullptr, false },
+
+  {"user_2f", "pass1", nullptr, nullptr, "pass2", false },
+  {"user_2f", "pass1", "pass1", nullptr, "pass2", false },
+  {"user_2f", "badp1", "pass1", nullptr, "pass2", false },
+  {"user_2f", nullptr, "pass1", nullptr, "pass2", false },
+
+  {"user_2f", "pass1", nullptr   , "badp1", "pass2", false },
+  {"user_2f", "pass1", "pass1", "badp1", "pass2", false },
+  {"user_2f", "badp1", "pass1", "badp1", "pass2", false },
+  {"user_2f", nullptr   , "pass1", "badp1", "pass2", false },
+
+  // user3 tests
+  {"user_3f", "pass1", nullptr   , "pass2", "pass3", true  },
+  {"user_3f", "pass1", "pass1", "pass2", "pass3", true  },
+  {"user_3f", "badp1", "pass1", "pass2", "pass3", true  },
+  {"user_3f", nullptr   , "pass1", "pass2", "pass3", true  },
+
+  {"user_3f", "pass1", nullptr   , "pass3", "pass2", false },
+  {"user_3f", "pass1", "pass1", "pass3", "pass2", false },
+  {"user_3f", "badp1", "pass1", "pass3", "pass2", false },
+  {"user_3f", nullptr   , "pass1", "pass3", "pass2", false },
+
+  {"user_3f", "pass3", nullptr   , "badp1", "pass2", false },
+  {"user_3f", "pass3", "pass3", "badp1", "pass2", false },
+  {"user_3f", "pass3", "badp3", "badp1", "pass2", false },
+  {"user_3f", nullptr   , "pass3", "badp1", "pass2", false },
+
+  {"user_3f", "pass1", nullptr   , "pass2", "badp3", false },
+  {"user_3f", "pass1", "pass1", "pass2", "badp3", false },
+  {"user_3f", "badp1", "pass1", "pass2", "badp3", false },
+  {"user_3f", nullptr   , "pass1", "pass2", "badp3", false },
+
+  };
+
+
+  stmt->execute("drop user if exists  user_1f");
+  stmt->execute("drop user if exists  user_2f");
+  stmt->execute("drop user if exists  user_3f");
+
+  stmt->execute("create user user_1f IDENTIFIED WITH cleartext_plugin_server BY 'pass1'");
+  stmt->execute("create user user_2f IDENTIFIED WITH cleartext_plugin_server BY 'pass1' "
+                "AND IDENTIFIED WITH cleartext_plugin_server BY 'pass2'; ");
+  stmt->execute("create user user_3f IDENTIFIED WITH cleartext_plugin_server by 'pass1' "
+                "AND IDENTIFIED WITH cleartext_plugin_server BY 'pass2' "
+                "AND IDENTIFIED WITH cleartext_plugin_server BY 'pass3'; ");
+
+
+  auto check_connection = [this] (sql::Connection* conn) -> void
+  {
+    std::unique_ptr<sql::Statement> my_stmt(conn->createStatement());
+    std::unique_ptr<sql::ResultSet> my_res(my_stmt->executeQuery("select @@version"));
+    my_res->next();
+    std::string version = my_res->getString(1);
+
+    logMsg(std::string("Server Version ")+version);
+
+    delete conn;
+  };
+
+  for(auto &data : test_data)
+  {
+    sql::ConnectOptionsMap opt;
+    opt[OPT_ENABLE_CLEARTEXT_PLUGIN] = true;
+    opt[OPT_USERNAME] = data.user;
+    if(data.pwd)
+      opt[OPT_PASSWORD] = data.pwd;
+    if(data.pwd1)
+      opt[OPT_PASSWORD1] = data.pwd1;
+    if(data.pwd2)
+      opt[OPT_PASSWORD2] = data.pwd2;
+    if(data.pwd3)
+      opt[OPT_PASSWORD3] = data.pwd3;
+
+    if(data.succeed)
+    {
+      check_connection(getConnection(&opt));
+    }
+    else
+    {
+      try {
+        getConnection(&opt);
+        FAIL("Should fail to connect");
+      }  catch (sql::SQLException&) {
+      }
+    }
+  }
+
+}
+
 } /* namespace connection */
 } /* namespace testsuite */

test/unit/classes/connection.h

@@ -91,6 +91,7 @@ class connection : public unit_fixture
   TEST_CASE(cached_sha2_auth);
   TEST_CASE(socket);
   TEST_CASE(dns_srv);
+  TEST_CASE(mfa);
   }
 
   /**
@@ -283,6 +284,13 @@ class connection : public unit_fixture
    */
   void dns_srv();
 
+  /*
+   * Test of MySQL_Connection::mfa()
+   *
+   */
+  void mfa();
+
+
 };